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1. REAL PARTY IN INTEREST 
J|)lij0i^plication is owned by Microsoft Corporation of Redmond, Washington. 
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n. RELATED APPEALS AND INTERFERENCES 
Upon information and belief, Appellant does not have any knowledge of related appeals 
or interferences that may directly affect or have a bearing on the decision of the Board of Appeals 
and Interferences ("the Board") in the pending appeal. 
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m. STATUS OF CLAIMS 
On August 29, 2000, Appellant filed the pending patent application including 
Claims 1-21, On March 23, 2004, the Examiner issued a first Office Action rejecting 
Claims 1-21. On June 15, 2004, the Appellant filed an Amendment and Response in which the 
Specification and the Abstract were amended. No claims were amended. On November 10, 

2004, the Examiner issued a second Office Action, finally rejecting Claims 1-21. On January 7, 

2005, the Appellant filed a Request for Reconsideration requesting allowance of the instant 
application. On February 9, 2005, the Examiner issued an advisory action stating that the 
Request for Reconsideration had been considered, but did not place this application in condition 
for allowance. On April 18, 2005, the Appellant filed a timely Notice of Appeal. 

This Appeal requests the Board to reverse the rejection of Claims 1-21. The reasons for 
requesting the reversal are set forth below. The claims on appeal are set forth in Appendix VUI. 
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IV. STATUS OF AMENDMENTS 
There are no outstanding amendments to this application subsequent to final rejection. 
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V. SUMMARY OF CLAIMED SUBJECT MATTER 
The present invention is directed towards methods and apparatus for encoding session 
data utiUzed by a server computer, and storing such data as session cookies on a client computer 
in an Internet and World Wide Web ("WWW") network computing environment, while 
minimizing the amount of data transferred between the client and server computers and 
maximizing the amount of information transferred. It is to be understood that the following 
summary of the various exemplary embodiments does not define the scope and/or interpretation 
of any of the claims of this application. Instead, the summary is provided to help the Board 
better recognize claim distinctions discussed hereinafter. 
A. Summarv of Exemplary Subject Matter 

As noted above, the present invention is directed towards methods and apparatus for 
encoding and storing storage data that minimizes the amount of data transferred between a client 
computer and a server computer, while at the same time maximizing the amount of configuration 
information transferred. An exemplary embodiment of the present invention uses encoding and 
storing session data in an encoded and encrypted session cookie in order to maximize the amount 
of configuration information transferred. In particular, an exemplary embodiment of the present 
invention provides a server computer that encodes session data into a session cookie in a tag- 
length-value format to create encoded configuration data. A tag-length-value format encodes 
data by providing a tag identifying the semantic information that a value represents, the length of 
the value, and then the value itself. 

Once the data has been encoded in the tag-length-value format, the server computer 
encrypts the encoded session data using a modified encryption key to create encrypted encoded 
configuration data. The modified encryption key may be formatted, i.e., created, for example, by 
inserting a secret, such as the user's password or e-mail address, into a standard encryption key at 
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a predefined location. The session cookie is then formed by concatenating the secret, the length 
of the secret, and the length of the length of the secret, with the encrypted encoded configuration 
data. The session cookie is then transmitted from the server computer to a client computer, 
where it is stored. 

Figure 6 of the instant application is an exemplary illustration of the foregoing exemplary 
embodiment. 

The construction of cookies as described above confers several advantages, including 
compatibility, flexibility, and security. The tag-length-value format provides forward and 
backward compatibility with existing and future Web server application software. Specifically, 
the server computer may ignore tags that it does not recognize and instead use session cookies 
generated by previous or futm-e versions of the server operating system software. Moreover, the 
server has the flexibility to use tags specific to the services it provides for users, such as tags that 
indicate which language to use for a session, Fiuthermore, the use of a modified encryption key 
substantially reduces the Ukelihood of unauthorized access and modification of the cookie, thus 
enhancing secxuity. 

Another exemplary embodiment of the invention is a data structure stored on a computer 
readable medium, the data structure including first and second data fields. The first data field 
contains data representing a data length identifier and a tag type. The second data field contains 
configuration data of the tag type and has a length described by said data length identifier. 

Figures 4 and 5 of the instant application illustrate a data structure according to an 
exemplary embodiment of the present invention. As is illustrated, an encoded configuration 
data 310 includes at least a tag type 400 and a data length 406. These figures further illustrate 
that the tag 400 is defined by a separate data length identifier 402 and a data type identifier 404. 
The data length identifier may include an extended tag type value 405, if desired. 
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The specific data structure illustrated in Figures 4 and 5 is very advantageous, inasmuch 
as tags associated with other configuration data may be accounted for by way of the data length 
identifier 402 and, in particular, the extended tag type value 405. A more detailed discussion of 
the foregoing maybe found on pages 15 and 16 of the specification of the instant application. 
B. Support for Claimed Subject Matter in the Specification 

1. Claims 1-15 

Independent Claim 1 is directed at a method for storing session data on a client computer, 
comprising encoding the session data in a tag-length-value format to create encoded 
configuration data (Specification, page 16, lines 3-6; Figure 6, block 602). The method fiirther 
comprises encrypting said encoded configuration data using a modified encryption key to create 
encrypted encoded configuration data (Specification, page 6, lines 7-9; Figure 6, block 604). The 
method fiirther comprises concatenating a secret, a length of the secret, and a length of the length 
of the secret with said encrypted encoded configuration data to form a session cookie 
(Specification, page 16, lines 10-14; Figure 6, block 606). The method fiirther comprises 
transmitting said session cookie to said cUent computer (Specification, page 16, lines 14-15; 
Figure 6, block 608). 

Claim 10 depends fi*om Claim 1 via intermediate Claims 2-9 and is directed at generating 
a new session cookie in response to determining that the tag comprises a valid tag (Specification, 
page 6, lines 1-6). 

2. Claims 16-21 

Independent Claim 16 is directed at a computer-readable medium having stored thereon a 
data structure comprising a first data field and a second data field. The first data field contains a 
data length identifier and a tag (Specification page 14, line 24; Figures 4 and 5, references 400 
and 406). The second data field contains configuration data of the tag type and having a length 
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described by the data length identifier (Specification, page 14, Unes 29-30; Figures 4 and 5, 
references 402 and 404). 

Claim 17 depends from Claim 16 and recites that said data structure further comprises a 
plurality of additional data structures comprising one of said first data field and one of said 
second data field for a plurality of tags (Specification, page 14, lines 29-31; Figures 4 and 5, 
references 402 and 404). 
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VI. GROUNDS OF REJECTION TO BE REVIEWED ON APPEAL 

The final Office Action dated November 10, 2004 ("Office Action"), rejected all the 
pending claims of the instant application on the following grounds. 

Ground 1 : Independent Claim 16 and dependent Claim 17 were rejected under 35 U.S.C. 
§ 102(b) as being anticipated by Spies et al, U.S. Patent No. 5,689,565 ("Spies"). 

Groimd 2 : Independent Claim 1 and dependent Claims 2-7 and 12-15 were rejected 
under 35 U.S.C. § 103(a) as being unpatentable over Shrader et al., U.S. Patent No. 6,374,359 
("Shrader"), in view of Quimby, U.S. Patent No. 5,367,573 ("Quimby"), and fiirther in view of 
Hardy et al., U.S. Patent No. 5,623,546 ("Hardy"). 

Ground 3 : Claims 8-11 were rejected under 35 U.S.C. § 103(a) as being unpatentable 
over Shrader, as modified by Quimby and Hardy, and fiirther in view of Becker et al, U.S. Patent 
No. 6,557,038 ("Becker"). 

Applicant requests a review of all of the foregoing grounds in this appeal. 
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Vn. ARGUMENT 

Applicant presents the following arguments on the merits of the application and claims 
therein with regard to each groxmd of rejection. 
A. Summary of References 

The following summaries of references cited in the Office Action mainly focus on those 
aspects disclosed by the references that were referred to in rejecting the claims, and does not 
include other aspects of the references that are of little or no relevance to the present grounds of 
rejection. 

Spies 

Spies is generally directed at a cryptography system providing functionality to 
applications requiring encryption. Cryptography is used to securely transfer information over a 
commimication system that is presumed to be insecure. Figure 9 illustrates a data structure used 
to carry information between parties in a communication session. The data structure comprises a 
tag-length-value format that uses three data fields each of which carry a single type of data, 
namely, an identifier or tag field, a length field, and a value field, in contrast to the present 
invention where, as illustrated in Figure 4, the tag field 400 in the data structure carries two 
distinct data types, namely, a data length identifier and a data type identifier, providing for 
extended tag types. 

In summary, while Spies purportedly teaches a data structiu"e having a tag-length-value 
format, as discussed more fiilly below. Spies does not teach the data structure recited by the 
claims to which Spies has been applied (Claims 16 and 17) and, thus, does not anticipate those 
claims. 
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Shrader 

Shrader is generally directed at client-server Web-based transaction processing and in 
particular to authenticating users to access applications running on a Web server. Shrader 
purportedly discloses the dynamic use and validation of Hyper Text Transfer Protocol ("HTTP") 
cookies for authentication by an application running on a Web server. More specifically, Shrader 
purportedly discloses a method for constructing a cookie value using an encryption and encoding 
scheme. The cookie is a character string (such as ASCII characters) that is generated by the Web 
server and sent to the client Web browser upon user login to an application running on the Web 
server. The cookie is generated by concatenating at least a user name and password and client 
machine IP (Intemet Protocol) address together and encrypting the result into a binary string. 
The cookie is subsequently sent back to the Web server which determines whether the cookie is 
valid by decrypting the cookie and verifying that the IP address belongs to the client machine and 
that the user name and password are valid. If the cookie is valid, then the user is granted access 
to the application running on the Web server. In contrast, the present invention generates a 
cookie by concatenating a secret, the length of the length of the secret, the length of the secret, 
and the encrypted encoded session data, as illustrated in Figure 3A. 

In summary, Shrader does not disclose the method of cookie generation that is recited in 
the claims in the present application to which Shrader has been applied (Claims 1-15). 

Ouimbv 

Quimby is generally directed at a machine-readable data structure encoding security 
information for use in authenticating electronic documents. Quimby purportedly discloses a 
Signature Unique Identifier ("SID") used in a Signature Data Object ("SDO"), which may be 
generated using date, time, session identification, etc. The SDO is the machine-readable data 
structure that is associated with an electronic document. The SDO is an application-level 
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construct that can be implemented in addition to other security measures in a computer system. 
SDO is formatted as a tag-length-value record comprising an arbitrary number of fields of 
arbitrary length, each field fiirther comprising a tag to identify the field, a length indicator to 
indicate a field length, and the value of the field. An electronic business document may be 
routed, tracked, and authenticated in a wide-area network environment using SDOs. In contrast 
to the present invention, SDO is not used in constructing session cookies in a Web environment. 
Additionally, the SDO's tag-length- value format does not indicate concatenating a secret, a length 
of the secret, and a length of the length of the secret as recited by the claims in the present 
invention. 

In summary, while Quimby discloses the use of tag-length- value format in encoding data 
records, Quimby fails to disclose the features recited in the claims of the present application to 
which Quimby has been appUed (Claims 1-15). 

Hardv 

Hardy is generally directed at security and portable key encrypted data. Hardy 
purportedly discloses a system and method for allowing portable encrypted data to be accessed 
through multiple hosts, including new hosts, without requiring a secure link to the new hosts. 
Hardy fiirther discloses the use of a split-key encryption system that stores encrypted data and 
one split of the encryption key on a portable device. A password-modified key is made and 
stored on the portable device by combining a password with the encryption key. When the 
portable device is connected to a new host, the data on the host can be accessed using the 
password-modified key. When the user attempts to access the data on the new host, the portable 
device asks for the password, and if a valid password is entered, then access to data is granted to 
the user. In contrast, the claims of the present application recite concatenating a secret, a length 
of the secret, and a length of the length of the secret to construct a cookie. 
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In summary, while Hardy purportedly discloses password-modified encryption keys, 
Hardy fails to disclose claimed features not disclosed in Shrader and/or Quimby. 
Becker 

Becker is generally directed at a method for maintaining session states in data processing 
systems using a stateless protocol. Becker purportedly discloses a session as a logical connection 
between two networked computer systems that can be activated and configured as requested. A 
session state is a collection of data items used by a web application whose lifetime extends 
beyond a single HTTP transaction. A client browser in this network environment periodically 
performs a "keep-alive" operation on the session to prevent the session fi-om timing out and 
ending during use. Becker discloses a software process that periodically receives an indication 
from a client for a particular session state. As a result, the process resets a timer associated with 
the session state, resetting the time period for the session state. While Becker discloses resetting 
a session timer, Becker does not disclose the transmission of a new session cookie. In contrast, 
the claims of the present application to which Becker has been appUed recite the construction and 
transmission of a new cookie in response to a valid tag obtained from the current session cookie. 

In sunmiary, while Becker discloses resetting a session timer, Becker fails to disclose the 
claimed features missing from Shrader, Quimby, and Hardy. 
B. Ground 1: Claims 16-17 Rejected Under 35 U.S.C. § 102(b) 

Claims 16 and 17 stand rejected xmder 35 U.S.C. § 102(b) as being anticipated by Spies. 
For the reasons discussed below. Applicant respectfiiUy submits that Spies fails to teach or 
suggest the recitations of independent Claim 16. Moreover, Spies is similarly deficient with 
respect to the rejected dependent Claim 17. Additionally, Claim 17 is allowable at least due to 
its dependence upon allowable independent Claim 16. 
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1. Rejection of Independent Claim 16 

Independent Claim 16 sets forth a combination of limitations including "a first data field 
containing data representing a data length identifier and a tag type" (emphasis added). Thus, 
Claim 16 recites a "first data field" that includes both " a data length identifier " and " a tag type " 
(emphasis added). Spies fails to teach or suggest at least this limitation of independent Claim 16. 

Spies purportedly discloses a cryptography system and method for providing 
cryptographic services for a computer application. According to Spies, and as illustrated in 
Figure 9 of the patent, a communication data structure may include a data structure 140 used to 
carry a package that is exchanged between participants or between a participant and a trusted 
authority. Spies, Col. 15, lines 62-65. The tag-length-value (TLV) data structure 140 consists of 
three parts: an identifier field 142 (which is also known as the "tag"), a length field 144, and a 
value field 146 . Spies, Col. 16, lines 4-6. The identifier field or tag 142 of Spies is a fixed-sized 
field that identifies the commerce data contained in the package. The length field 144 is a 
variable-sized field that contains the length of the commerce data, in bytes, contained in the 
package. The three specific fields 142, 144, and 146 are those that are included in the data 
structure 140. The data structure 140 does not include a field that contains data representing both 
"a data length identifier mid a tag type." The identifier field 142 of the data structure 140 
identifies the commerce data contained in the package, i.e., it is a tag data field. The identifier 
field does not contain a data length identifier. Spies does not disclose or suggest data structure 
fields capable of containing data that identifies two distinct data types. In contrast. Claim 16 
recites that the first data field set forth in independent Claim 16 includes "data representing the 
data length identifier and a tag type" (emphasis added). Furthermore, Claim 16 recites a two-tier 
data structure , i.e., a data structure having two types of data within a single data structure field. 
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In contrast, Spies teaches a single-tier data structure , i.e., a data structure having one type of data 
within each field of the data structure. 

The "Response to Arguments" section of the final Office Action states that the applicant's 
arguments with respect to Claims 16 and 17 are unpersuasive. In particular, the final Office 
Action states that "[t]he claim never states the data structure is required to carry two distinct data 
types." Furthermore, the Office Action states that one TLV data structure can contain one type of 
data, while another TLV data structure can contain a different type of data." It is unclear firom 
the foregoing statements how multiple TLV data structures teach or even remotely suggest a 
two-tier data structure, much less the two-tier data structure recited in independent Claim 16 and 
discussed above. The data structure 140 of Figure 9 of Spies includes an identifier field 
(tag) 142, a length field 144, and a value field 146. Spies describes what is contained in the 
identifier field (tag) 142. According to Spies, the identifier field 142 is a fixed-size (e.g., 32 bit) 
field that defines or identifies the data contained in the package. Nothing further is discussed in 
relation to the identifier field (tag) 142. In contrast. Claim 16 recites: "a first data field 
containing data representing a data length identifier mid a tag type" (emphasis added). As 
discussed above, clearly the "first data field" includes data that has two parts : "a data length 
identifier and a tag type" (emphasis added). Nothing in Spies teaches or suggests that the 
identifier field (tag) 142 is capable of including two parts, much less the two parts recited in 
independent Claim 16. As a result, applicant submits that Spies fails to anticipate Claim 16, and 
thus Claim 16 is allowable, and requests that this Board reverse this groimds of rejection of the 
final Office Action. 

2. Rejection of Dependent Claim 17 

Claim 17 is submitted to be allowable due to its dependence upon an allowable 
independent claim (Claim 16) and for additional reasons discussed below. Claim 17 is 
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dependent on Claim 16 and recites: "said data structure further comprises a plurality of 
additional data structures comprising one of said first data field and one of said second data field 
for a plurality of tags" (emphasis added). Spies does not teach or suggest a data structure fiirther 
comprising a plurality of additional data structures for a plurality of tags. Spies illustrates in 
Figure 9 "a data structure 140 used to carry each package .... It is used to encapsulate the 
messages and the message components." Spies, Col 15, lines 63-67. Spies does not teach or 
suggest the use of a plurality of additional data structures constituting extended tags, and each 
further comprising one of said first data field and one of said second data field. Therefore, 
Claim 17 is submitted to be allowable. 

In view of the above comments, applicant respectfully requests that this Board reverse 
final Office Action rejection of Claim 17 under 35 U.S.C. § 102(b). 
C. Ground 2: Claims L 2-7 and 12-15 Rejected Under 35 U.S.C. § 103(a) 

Claims 1-7 and 12-15 stand rejected under 35 U.S.C. § 103(a) as being unpatentable in 
view of the teachings of Shrader, U.S. Patent No. 6,374,359, taken in view of the teachings of 
Quimby, U.S. Patent No. 5,367,573, and further taken in view of the teachings of Hardy, 
U.S. Patent No. 5,623,546. For the reasons discussed below, appUcant submits that the cited 
references, taken alone or in any motivated combination, fail to teach or suggest the features 
recited in independent Claim 1 . The cited references are similarly deficient with respect to the 
claims dependent from Claim 1 included in this group of claims. Thus, the dependent claims are 
allowable due to their dependence upon an allowable independent claim and for additional 
reasons. 

1. Rejection of Independent Claim 1 

Among other recitations, independent Claim 1 recites "concatenating a secret, a length of 
the secret, and a length of the length of the secret with said encrypted encoded configuration data 
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to form a session cookie." The cited references, singly or in any motivated combination, fail to 
teach or suggest this recitation of Claim 1. Shrader discloses the dynamic use and validation of 
HTTP cookies for authentication. Shrader further discloses that a cookie value routine 42 is 
initiated when a server-driven graphical user interface verifies a usemame and a password sent to 
a server from a login panel of a user's web browser. The cookie value routine 42 constructs a 
cookie value that includes a usemame, password, and IP address. Shrader, Col. 7, lines 16-21. 
Shrader does not teach or suggest concatenating a secret, a length of the secret, and a length of 
the length of the secret. Shrader discloses that the usemame and password may be included in 
the constmction of the cookie, but Shrader does not teach or suggest using a length of the secret 
and a length of the length of the secret in any form in the constmction of the cookie, let alone 
teach specifically that these quantities be concatenated to form the cookie. 

Quimby also does not teach or suggest concatenating a secret, a length of the secret, and a 
length of the length of the secret. Quimby discloses that character-string data may be encoded in 
a tag-length-value format with an arbitrary number of fields, each field comprising a tag, a 
length, and a value. Therefore, Quimby fails to supply the teachings missing from Shrader. Nor 
does Hardy make up for the deficiencies of Shrader and Quimby. Hardy does not teach or 
suggest concatenating a secret, a length of a secret, and a length of the length of the secret. 

The modified rejection of Claims 1-7 and 12-15 under 35U.S.C. § 103(a) states that 
Shrader teaches "[c]oncatenating a secret, a length of the secret, and the length of the length of 
the secret with said encrypted encoded configuration data to form a session cookie. Office 
Action, page 3, paragraphs; Shrader, Col. 7, lines 16-21. In the Response to the Arguments 
section of the Office Action (page 12, end of second paragraph), the Examiner states that "[t]he 
length field would then also be dynamic in size, so a length of the length field, which is static, 
could describe the length field, which then describes the cookie data" (emphasis added). The fact 
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that a reference could perform a particular function is not a teaching that the reference does 
perform the function. The fact that a function could be performed is mere speculation, it is not a 
teaching. In summary, Shrader, singly or in any motivated combination with other cited 
references, i.e., Quimby and Hardy, does not teach or suggest concatenating a secret, a length of 
secret, and a length of length of secret in constructing a cookie. 

A proper rejection imder 35 U.S.C. § 103(a) requires that each and every element recited 
in the claim being rejected must be taught by the rehed on combination of references. 
Additionally, the rejection must indicate a reasonable motivation for combining the references, or 
the references must disclose such a motivation. That is, the motivation must either come from 
the references themselves, or must be reasonably based on the expertise of those having ordinary 
skill in the art. Applicant respectfully submits that the above-indicated conclusory statements set 
forth in the final Office Action do not satisfy the foregoing standards required for a rejection 
under 35 U.S.C. § 103(a). More specifically, as noted above, the revised rejection imder 
35 U.S.C. § 103(a) states that the teachings of Schrader et al. " could " teach a certain limitation 
set forth in rejected independent Claim 1. (See page 12, last sentence of second paragraph of 
current Office Action.) Applicant submits that this line of reasoning: (i) requires designing a 
new data structure not taught or suggested by any of the cited references, singly or in any 
motivated combination; (ii) is only supported by hindsight knowledge; (iii) is conclusory; and, 
thus, (iv) is insufficient to support a proper rejection under 35 U.S.C. § 103(a). An invention is 
not obvious just because a reference "could" have performed a particular function or prior art 
"could" have been combined. In the case of In re Fritch, the Federal Circuit stated that this type 
of conclusory statement is merely "hindsight reconstruction" that is insufficient and improper 
reasoning for supporting an obviousness rejection. 
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In summary, since Shrader, Quimby, and Hardy, both singly and in any motivated 
combination, fail to teach or suggest at least "concatenating a secret, a length of the secret, and a 
length of the length of the secret with said encrypted coded configuration data to form a session 
cookie," the requirements for rejection of Claim 1 under 35 U.S.C. § 103(a), as discussed above, 
have not been satisfied. As a result, applicant respectfiiUy requests that this Board reverse the 
final Office Action rejection of independent Claim 1, and the rejection of Claims 2-7 and 12-15 
dependent thereon. 

D. Ground 3: Claims 8-1 1 Rejected Under 35 U.S.C. S 103(a) 

Claims 8-11 depend fi-om Claim 1 and are thus allowable at least because of the 
allowability of Claim 1 . 

Dependent Claim 10 recites: "in response to determining that said tag comprises a vaUd 
tag, (i) generating a new session cookie ,..." (Emphasis added.) The final Office Action states 
that "the combination of Shrader et al. as modified by Quimby and Hardy et al. and further in 
view of Becker et al. teaches" the above mentioned feature. Office Action, page 9, paragraph 2. 
The final Office Action directs attention to Figure 4, reference number 80 of Shrader as teaching 
this feature. Applicant disagrees. Shrader, in combination with other cited references, fails to 
teach or suggest the foregoing feature recited in Claim 10. Figure 4 of Shrader illustrates a 
flowchart for constructing a cookie value. Shrader discloses that when the LDAP GUI CGI 
verifies the user name and password sent to it fi-om the login panel of the user's web browser, the 
routine begins at step 80 by constructing a cookie value. Shrader, Col. 7, lines 16-18. Therefore, 
at best, Shrader in view of Becker discloses the construction of a single LDAP cookie once only 
after user login, the same cookie being periodically validated. Shrader, Col, 5, lines 59-62; 
Becker, Col. 6, lines 3-13. In contrast. Claim 10 recites the construction of a new session cookie 
in response to a valid tag obtained fi-om the (current) session cookie . Shrader, singly or in any 
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motivated combination with the other cited references, Quimby, Hardy, and Becker, simply does 
not teach or suggest the foregoing feature recited in Claim 10. Therefore, Claim 10 is submitted 
to be allowable for reasons in addition to the reasons why the claims for which Claim 10 depends 
are allowable. 

In view of the above conraients, applicant respectfully requests that this Board reverse the 
final rejection of Claims 8-11. 
Conclusion 

In summary, applicant respectfully submits that the grounds of rejection set forth in the 
final Office Action are in error and requests this Board to reverse the final Office Action and 
allow all of the rejected claims. 
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Vm. CLAIMS APPENDIX 

1. A method for storing session data on a client computer, 
comprising: 

encoding said session data in a tag-length-value format to create 
encoded configuration data; 

encrypting said encoded configuration data using a modified 
encryption key to create encrypted encoded configuration data; 

concatenating a secret, a length of the secret, and a length of the 
length of the secret with said encrypted encoded configuration data to form 
a session cookie; and 

transmitting said session cookie to said client computer. 

2. The method of Claim 1, wherein said modified encryption 
key comprises a standard encryption key with said secret inserted at a 
predefined location. 

3. The method of Claim 2, wherein said modified encryption 
key further comprises a time stamp indicating a time at which said 
modified encryption key is created. 

4. The method of Claim 3, further comprising: 
requesting said session cookie jfrom said client computer; 
receiving said session cookie from said client computer; 
extracting said secret from said session cookie; 

creating said modified encryption key by inserting said secret 
extracted from said session cookie into said standard encryption key at 
said predefined location; and 
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decrypting said session data from said cookie using said modified 
encryption key. 

5. The method of Claim 4, further comprising: 
decoding a tag from said session data; 
determining whether said tag comprises a valid tag; and 

in response to determining that said tag comprises a vaUd tag, 
configuring said server using data contained in said tag. 

6. The method of Claim 5, fiirther comprising: 

in response to determining that said tag does not comprise a vaUd 
tag, determining whether additional tags remain to be decoded from said 
encoded configiu-ation data; and 

in response to determining that additional tags remain to be 
decoded, decoding a next tag and determining whether said next tag 
comprises a valid tag. 

7. The method of Claim 6, further comprising: 

in response to determining that said next tag comprises a vaUd tag, 
configuring said server using data contained in said next tag. 

8. The method of Claim 7, further comprising: 

in response to determining that additional tags do not remain to be 
decoded, periodically authenticating said session cookie. 

9. The method of Claim 8, wherein periodically authenticating 
said session cookie comprises: 

starting a session timer; 

determining whether said session timer has elapsed; and 
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in response to determining that said session timer has elapsed, 

(i) requesting said session cookie from said client computer, 

(ii) decrypting and decoding a tag contained in said session 
cookie, and 

(iii) determining whether said tag comprises a valid tag. 

10. The method of Claim 9, further comprising: 

in response to determining that said tag comprises a valid tag, 

(i) generating a new session cookie, 

(ii) transmitting said new session cookie to said client 
computer, and 

(iii) resetting said session timer. 

1 1 . The method of Claim 9, further comprising: 

in response to determining that said tag does not comprises a valid 
tag, ending a communications session between said server computer and 
said client computer. 

12. A computer-readable medium containing computer- 
readable instructions which, when executed by a computer, perform the 
method of Claim 1. 

13. A computer-readable medium containing computer- 
readable instructions which, when executed by a computer, perform the 
method of Claim 2. 

14. A computer-controlled apparatus for performing the 
method of Claim 1. 
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15. A computer-controlled apparatus for performing the 
method of Claim 2. 

16. A computer-readable medium having stored thereon a data 
structure, comprising: 

a first data field containing data representing a data length 
identifier and a tag type; and 

a second data field containing configuration data of said tag type 
and having a length described by said data length identifier, 

17. The computer-readable medium of Claim 16, wherein said 
data structure fiirther comprises a plurality of additional data structures 
comprising one of said first data field and one of said second data field for 
a pluraUty of tags. 

18. The computer-readable medium of Claim 17, wherein said 
data length identifier comprises the first two bits of said first data field. 

19. The computer-readable mediimi of Claim 17, wherein said 
data length identifier comprises data indicating that the length of said 
second data field is one byte. 

20. The computer-readable medium of Claim 17, wherein said 
data length identifier comprises data indicating that the length of said 
second data field is four bytes. 

21. The computer-readable medium of Claim 17, wherein said 
data length identifier comprises data indicating that said tag type 
comprises an extended tag type. 
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None 
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X. RELATED PROCEEDINGS APPENDIX 



None 



RespectfiiUy submitted, 
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